Massive, undetectable security flaw found in USB: It’s time to get your PS/2 keyboard out of the cupboard


Security researchers have found a fundamental flaw that could affect billions of USB devices. This flaw is so serious that, now that it has been revealed, you probably shouldn’t plug a USB device into your computer ever again. There are no known effective defenses against this variety of USB attack, though in the future (months or years, not days) some limited defenses might be possible. This vulnerability, which allows any USB device to take over your computer, mostly exists due to the USB Implementers Forum (the USB standards body) eschewing security in favor of maximizing the versatility, and thus the massively successful adoption, of USB. The USB IF itself notes that your only defense against this new attack vector is to only use USB devices that you 100% trust — but even then, as we’ll outline below, this won’t always protect you.

This flaw, dubbed BadUSB by Security Research Labs in Berlin, leverages the fact that every USB device has a controller chip. Whether it’s your PC, smartphone, external hard drive, or an audio breakout box, there’s a USB controller chip in every device that controls the USB connection to other devices. It turns out, according to SR Labs, that these controllers have firmware that can be reprogrammed to do a whole host of malicious things — and, perhaps most importantly, this reprogramming is almost impossible to detect.

The USB controller chip is the big chip in the middle (they don’t usually have a skull silkscreened onto them though).

This vulnerability mostly stems from the fact that USB, by design, is incredibly versatile. USB can be used to connect just about any kind of peripheral to a host machine — an ability that is only possible because of USB classes and class drivers. Basically, every USB device under the sun has a class — a classification that defines the device’s function. Some common classes are human-interface devices (HIDs; keyboards, mice), wireless controller (Bluetooth dongles), and mass storage (thumb drives, digital cameras). On the host (your PC, your smartphone) there are class drivers that manage the functions of that particular class of devices. This is why you can plug a USB keyboard into just about any device and it’ll work flawlessly.

USB hacking isn’t a new thing — but this is the first time that an attack vector hasn’t required extra chips and circuit boards, making it a whole lot more dangerous.

The problem, according to SR Labs, is that these USB controllers can have their firmware reprogrammed so that they announce themselves as a different class. For example, you could reprogram a mass storage device so that it masquerades as a network controller, so that all of your network communications (websites, passwords) get redirected to the device. Or, even worse, you could reprogram the firmware of a thumb drive so that it becomes a HID, and can thus issue keyboard and mouse commands to the host machine. These commands might be used to install malware, or to rewrite the firmware of other attached USB devices. Suddenly you are sitting on a computer worm of Conficker proportions that could take down most of the world’s devices.

While finding a security hole in USB isn’t exactly a surprise, the main issue here is that there’s no immediate fix. As of today, there could be billions of USB devices out there with firmware that could be reprogrammed by a computer virus — and, according to SR Labs, it’s impossible to spot the modified firmware unless you know exactly where to look. (It took months for SR Labs to reverse engineer the controller firmware, and it doesn’t sound like they’re giving up their secrets any time soon.) The security researchers also say that malware scanners can’t access the firmware of a USB device — so you can forget about that angle, too. SR Labs says it will release more details and proof-of-concept tools at Black Hat 2014 on August 7.

PS/2 mouse and keyboard sockets: Still safe

It would be possible to mitigate this attack in the future if every device maker signed their firmware and your computer checked that signature every time you plugged the device in — but I suspect, given the scale of the USB device ecosystem, such a change would take months or years to adopt. Another option would be designated USB ports on your computer: you might have a port that only accepts mass storage devices and is completely incapable of handling other classes of USB device.

Ultimately, though, the only real mitigation is ensuring you only use USB devices that you trust. It’s basically like unprotected sex: If you plug your USB memory stick into another computer, you should then assume that your memory stick is forever compromised. The problem with this approach, though, is that your own computer could infect your USB devices without you knowing — and unless you’re a very careful surfer, it’s very hard to keep your computer completely malware-free. Which brings us back to the beginning of the story: Maybe it’s just best if you don’t use USB for a while.
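To make the class mechanism concrete, here is an added example written for this page (it is not code from SR Labs or from the article) that walks a USB configuration descriptor and lists the interface classes a device declares. Host operating systems bind class drivers from exactly these bytes, so a device sold as a thumb drive whose descriptor also carries a HID interface is visible at this level even though the controller firmware behind it is not. The two descriptor blobs are constructed for the example, not captured from real hardware; the class codes come from the USB-IF base class table.

```python
"""Walk a USB configuration descriptor and list the interface classes it declares.
Added example for this article; the descriptor blobs below are constructed."""
import struct
from dataclasses import dataclass

# Descriptor type codes (USB 2.0 spec chapter 9; 0x21 is the HID class descriptor)
DT_CONFIGURATION, DT_INTERFACE, DT_ENDPOINT, DT_HID = 0x02, 0x04, 0x05, 0x21

# USB-IF base class codes, limited to the ones this page talks about
CLASS_NAMES = {
    0x01: "audio", 0x02: "communications (CDC control)", 0x03: "human interface device",
    0x08: "mass storage", 0x0A: "CDC data", 0x0E: "video", 0xE0: "wireless controller",
}


def class_name(code: int) -> str:
    return CLASS_NAMES.get(code, f"class 0x{code:02x}")


@dataclass(frozen=True)
class Interface:
    number: int
    alt_setting: int
    cls: int
    subclass: int
    protocol: int


def parse_config_descriptor(buf: bytes) -> list[Interface]:
    """Return every interface descriptor inside a configuration descriptor blob.

    Each descriptor begins with bLength and bDescriptorType; we hop from one to the
    next by bLength and reject a zero or oversize length instead of looping forever.
    """
    if len(buf) < 9 or buf[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total_len = struct.unpack_from("<H", buf, 2)[0]
    if total_len > len(buf):
        raise ValueError(f"wTotalLength {total_len} exceeds the {len(buf)}-byte buffer")
    interfaces, pos = [], 0
    while pos + 2 <= total_len:
        length, dtype = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > total_len:
            raise ValueError(f"malformed descriptor at offset {pos}")
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError(f"short interface descriptor at offset {pos}")
            num, alt, _num_eps, cls, sub, proto = buf[pos + 2:pos + 8]
            interfaces.append(Interface(num, alt, cls, sub, proto))
        pos += length
    return interfaces


def is_well_formed(buf: bytes) -> bool:
    try:
        parse_config_descriptor(buf)
        return True
    except ValueError:
        return False


def declared_classes(buf: bytes) -> set[int]:
    return {iface.cls for iface in parse_config_descriptor(buf)}


def audit_device(buf: bytes, expected: set[int]) -> list[str]:
    """Name the classes a device declares beyond what it was sold as; an empty list
    means the descriptor matches expectations."""
    return sorted(class_name(c) for c in declared_classes(buf) - expected)


# --- constructed sample descriptors (not from real hardware) -------------------
def _interface(num, cls, sub, proto, endpoints, ep_attrs, extra=b""):
    header = bytes([9, DT_INTERFACE, num, 0, len(endpoints), cls, sub, proto, 0])
    eps = b"".join(struct.pack("<BBBBHB", 7, DT_ENDPOINT, addr, ep_attrs, 64, 0)
                   for addr in endpoints)
    return header + extra + eps


def _config(interfaces):
    body = b"".join(interfaces)
    return struct.pack("<BBHBBBBB", 9, DT_CONFIGURATION, 9 + len(body),
                       len(interfaces), 1, 0, 0x80, 50) + body


# A plain bulk-only (SCSI transparent) mass storage device: one interface, two bulk endpoints
HONEST_THUMB_DRIVE = _config([
    _interface(0, 0x08, 0x06, 0x50, [0x81, 0x02], ep_attrs=0x02),
])
# HID class descriptor (bcdHID 1.11, one 63-byte report descriptor) for a boot keyboard
HID_DESCRIPTOR = bytes([9, DT_HID, 0x11, 0x01, 0x00, 0x01, 0x22, 0x3F, 0x00])
# The same storage interface plus a boot-protocol keyboard on an interrupt endpoint:
# what a reprogrammed drive that also wants to type would have to announce
STORAGE_PLUS_KEYBOARD = _config([
    _interface(0, 0x08, 0x06, 0x50, [0x81, 0x02], ep_attrs=0x02),
    _interface(1, 0x03, 0x01, 0x01, [0x82], ep_attrs=0x03, extra=HID_DESCRIPTOR),
])

if __name__ == "__main__":
    for label, blob in [("honest drive", HONEST_THUMB_DRIVE),
                        ("storage + keyboard", STORAGE_PLUS_KEYBOARD)]:
        unexpected = audit_device(blob, expected={0x08})
        print(f"{label}: {[class_name(i.cls) for i in parse_config_descriptor(blob)]}"
              f" -> unexpected: {unexpected or 'none'}")
```

The audit only catches a device that declares more than it should; it cannot tell a reprogrammed controller from a legitimate composite device (a keyboard with a built-in hub, say), which is why the signed-firmware and class-restricted-port ideas above go further than descriptor inspection can.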

Fortunately my cupboard is full of PS/2 keyboards, parallel printers, and stacks of rewritable DVDs for exactly this kind of apocalyptic occasion…



and I’m betting the NSA and other alphabet groups already knew this years ago

wonderYrednow

Look up how they implemented the StuxNet v into Iran.

MadisonHJ

Yep, we’ve all been infected for a long time now.

wonderYrednow

I’m gonna take an extra long shower….

Avatar1337

I don’t think they got their hands on every USB device -__-. I am however hesitant to plug in my new USB memory from China now.

wonderYrednow

It might be OK if it is done ‘Long Distance’…?

CrustyToenail

Upvote for trying desperately to continue making innuendos. Keep up the good work.

wonderYrednow

My habit, and I readily admit it is a bad one, is to reply to every comment on a thread that is sent to me.’-)

CrustyToenail

“The truth is that everyone is bored, and devotes himself to cultivating habits.” -Albert Camus

wonderYrednow

A grape man, truly, and grape vines unruly. -Camus Vineyards Napa CA

CrustyToenail

I’d say you’d have to be just as concerned about “made in USA” memory sticks. And plus, the issue isn’t the site of manufacture alone. If the memory stick or another usb device is intercepted and loaded with bad firmware along the way, you’re just as screwed.

Jan Gretza

Actually, everyone with an understanding how USB works knew this. It’s no news at all.

tekdemon

Of course it’s been known, go look at DoD policy on plugging in any kind of USB device to a military computer. Even at VA hospitals they’ll flip out if you attempt to use a USB thumb drive for something. I don’t think anybody has really thought USB devices were secure.

Cap_Curmudgeon

USB thumb drives have massive memory and they often store autorun drivers so they will be recognized AND installed. That may be true of some other devices, too, but thumb drives are probably the riskiest.

John

The basic facts are correct – and have been known for some time – but the spin is absurd.

Kyle

Really? How is it not real, people have known about this stuff for years. If it has memory then it can store malicious code period. Doesn’t matter if it’s a battery that has memory or a keyboard or anything. If it can store information it can store malicious code. Also using ps/2 ports doesn’t stop the fact that a keyboard/mouse on ps/2 ports can still send malicious code..

Jan Gretza

Storage can’t “send instructions to the cpu”. (And an “instruction set” is a totally different thing, BTW.)

Kyle

I have seen malware implemented through peripherals via the storage of that device. It’s not about the device sending instructions, it is the computer accessing the peripheral and then pulling the malicious code from the memory of the device.

Jan Gretza

That’s only possible if you actively activate the USB mass media autoplay feature of your OS (or use an outdated OS that has it active as default), which no sensible person should do. There is no way a USB device can initiate code execution on its own.

Damon

“There is no way a USB device can initiate code execution on its own.”
…. apparently, now there is….

Cap_Curmudgeon

uPNP.

Kyle

You’re assuming that everyone knows as much about computers as we do. The majority of the population that uses computers doesn’t even understand a computer. To them it works like magic. So what makes you think that they would even begin to understand securing one? They also want ease of use, so why would they disable a feature that makes it easy to use (i.e. fewer steps to turn on a device)? They just want to plug in the device and have it automatically do what they want. That is the typical consumer.

http://www.ledgersmb.org/ Chris Travers

I would still expect the obvious implications of uncommanded keyboard/mouse inputs to be readily detected by the most novice user.

http://www.ledgersmb.org/ Chris Travers

Not really. But mocking up an internet connection or keyboard/mouse inputs to install malware is hardly trivial or undetectable unless it is an attack by the sorts of people who would just as easily succeed by another means.

http://pirrate.me/ Nick Shvelidze

AND there’s no way for an unprivileged program to gain write access to an USB device, well, unless it’s on Windows, but Windows is a massive security clusterfuck by itself.

Adam von Gaertner

You’re right, Mark, another company pointing out the obvious for recognition, I guess.
My problem with their assessment is that it can’t be stopped. If this malware can be written to memory there is no reason that it can’t be overwritten with a firmware update. Secondly, what about the end of script? When the code gets to the end to install the USB driver, does it just restart installing a secondary malware driver? And if it doesn’t, how is it finding its way into the original driver code without causing compatibility errors? And if this driver software is trying to reach out to an external server to send files, that kind of interaction would be outside of the driver’s scope and shouldn’t execute. They of course provide little detail as to how they came to these conclusions, but I seem to remember a malware program that infected GPUs. This was years ago, but I think we looked at one in our labs that had an infection like this. We flashed the memory using Bus Pirate, I believe, and all was good. Why can’t this be done on these devices?

Jan Gretza

Drivers aren’t installed by the device itself.

Damon

“If it has memory then it can store malicious code period. Doesn’t matter if it’s a battery that has memory or a keyboard or anything”

yes, but you generally wouldn’t consider a cheap USB keyboard as ‘having memory’. usually, if a keyboard is hacking your computer, it has someone banging on the keys….

1. Apple didn’t build FireWire adapters for PCs, or manufacture the chips. They owned a few key patents, for which they charged $0.25/unit. Hardly unforgivable — unless you’re a rabid Apple-hater.

2. FireWire doesn’t do most of the device classes which this security hole involves. USB is insecure because the device can mimic just about anything. FireWire doesn’t do that. There’s limited utility to a hacker in a FireWire hard drive pretending to be a video device, or vice versa. (You CAN use FireWire for networking — but not to connect network adapters; FireWire networking involves using FireWire cables as the actual network, since FireWire, unlike USB, is actually peer-to-peer in structure, rather than master-slave.)

In short: you fail even at trolling.

g13man

to the vicar ,

1.A] actually AAPL used to charge $1.00/unit, that was one of the reasons industry was quick to adopt USB even though at the time it was slower ..

1B] I do have a [PCI] FireWire adapter, and true, AAPL did not manufacture it

2.A] true, but FireWire was faster at its implementation than USB. ,[

2B] and USB did not work for all classes at first either [ remember MSFT’s oops moment when the printer did not work? ]

[ In short: you fail even at trolling ] nice when I fail sometimes, is it not? [lol - have a nice day ]

zdaxxy

So I have to steal your USB device and tell it to pretend to be something else, flash the new code, then put the USB device back without you knowing I took it and then wait for you to plug it in. So the thumb drive no longer works, keeps saying it is a keyboard so you unplug it and toss it in the garbage but success! My code has run and I have changed your homepage to 10 hours of Nyan Cat on YouTube.. W00T!

http://www.mrseb.co.uk/ Sebastian Anthony

Nah, much more likely attack vector is:

1) You get malware on your PC (using some kind of zero-day vulnerability)
2) The malware reprograms the various USB devices attached to your PC (including your memory stick).
3) You plug your memory stick into another PC — and then the malware spreads like a worm.

It’s then a question of what you DO with the reprogrammed devices :)

zdaxxy

Host-Slave mode… would loooooove to see the malware code that installs and reprograms the controller on the fly. I really do not think that is possible like that. Locked controllers, burned chips, etc.. Rewriting a pressed CD? HMMmmm….. Flashable units, ok… no problem…

teatoker

why would USB firmware have write access from its USB interface? shouldn’t that be read only?

John

Good questions. The scare mongering here is nonsense. The logic controlling most usb devices is NOT even re-programmable. T

teatoker

i guess the problem is some USB devices may have been maliciously designed to be re-programmable. even so, i have no idea how you could use the interface to reprogram the interface you are using… it would be like someone performing brain surgery on themselves, half way through, you would forget what you were doing and die.

John

There are potential problems, yes, but none which justify the scaremongering. Given the cost of making things reprogrammable, and the low probability of the right malware finding the right hardware in the wild – I think (?) it’s more likely that someone would embed the malicious code at the time of manufacture.

Damon

yup, but there goes buying cheap flash drives directly from China… but then again, I’m pretty sure 99% of flash drives are made in China anyway….

jim moore

All NAND flash memory chips produced in the world are manufactured overseas.

Damon

likely so, but it is not the NAND flash chip that is the problem, it is the controller chip that has the potential firmware issues…
(http://janaxelson.com/usbchips.htm) check out a few of the manufacturers, some of these are produced in US fabs…

jim moore

Thanks, I will check them out. There are a lot of crooks in the USA as well.

It usually is. Some can reprogram themselves (“firmware update”) over USB, but you’d have to know the proprietary protocol used to do so and the specific instruction set used by the chip. It’s not like computer malware that runs the same way on every PC.

teatoker

i don’t see why they would do that, wouldn’t they make more money if they forced you to buy a new device instead of updating?

Bill

Sure, I love it when customers write terrible reviews about my company’s products because they were built with a firmware flaw that can’t be fixed without buying a replacement. It really ensures that I’ll make lots of money in the future from other customers. ಠ_ಠ

ace42

Laziness; a desire to make them easily upgradeable with future firmwares; incompetence; apathy; stupidity; and of course malfeasance.

Bill

The malware reprograms the various USB devices attached to your PC

How? Have you ever developed a USB device? Do you realize that every one uses different microcontroller hardware, and most can’t even be firmware-updated over the USB bus?

Adam von Gaertner

You’re right, Bill. This is just silly. You need something like Bus Pirate to program these things. You can’t just run a firmware update to the chip’s memory. If I can’t program firmware without some kind of hardware interface controller, how are these people doing it? Sounds like bunk to me.

Bill

On some you can run a firmware update to the chip’s memory, but the way you do it is different for each chip, and your program would have to be tailored for that specific chip. Malware authors would write stuff for Macs or Linux before they bothered with microcontrollers.

Adam von Gaertner

I agree. I was wondering how they could pack in all that code. And all that code on such a small bus just doesn’t seem possible.

wonderYrednow

007 and Jason Bourne will help….

JD

I see it happening something like this:
Attacker walks into a bank with an infected flash drive. Spots an empty desk with a computer. Walks by and pauses long enough to insert the USB stick into the back of the computer and then continues on.

The next time the user of that computer boots it up and logs on the attacker owns it because it’s very unlikely the user would notice the USB drive.

TheDudeAbides

Uh, most larger banks typically have USB drive blockers on their machines.

Damon

actually, they block certain USB device classes such as mass storage devices. It is as simple as one setting in the registry and can be remotely implemented via group policy at the network level. However, it wouldn’t help them if your thumb drive presented itself to Windows as an HID.

Jan Gretza

Except that you notice what’s being installed, since it’s done the very same way a human would do it with keyboard and mouse. No way to hide those actions.

Bill

Yeah I’m sure no one would notice when they plug in their new USB hard drive and their mouse starts moving by itself and their email compose window suddenly starts filling up with code being typed by a HID keyboard device. Totally not obvious at all.

Skywalker

This kind of technique has already been applied in successful attacks, for example to have a mouse auto-click a Windows confirmation window before the user can see it.

Bill

Where? Show us some real-life examples.

duh

Seriously, you’re that stupid. It has nothing to do with drivers; they are talking about the firmware on the controller chip, and it doesn’t render the chip unusable, it just adds extra code. So it will operate as per usual but also do unwanted things. Think for a minute: it doesn’t have to be in the USB drive, someone can hack into your computer and reprogram the firmware, and yes it is a big deal because it was just suspected, now proof of concept code is going to be available and many people can utilize a place on your devices to hide their code and the key to get into your network.

http://www.ledgersmb.org/ Chris Travers

Far more than that. Look at the attacks implied:

1. Scenario 1 involves a fake network adaptor. Pulling this one off convincingly also requires emulating the internet in the device, or at least a convincing subset. It also requires effectively having the host bring the network adaptor online and set up routing information. This could be done with DHCP (emulating a DHCP server on the device). But there is still user input required for many OSes so there is still the need for the HID exploit too. So now you have gone from a mass storage class to a mass storage class device (so the user doesn’t notice the missing storage) plus a network interface, plus emulating the other side of the network, etc. plus HID emulation and uncommanded inputs. This is not going to be easy to pull off without detection unless you are making custom hardware. Maybe the NSA could do it.

2. Scenario 2: HID attack to install malware. So the MSC device is installed, and you also emulate a second HID device which clicks through various windows (or opens a command line and types, which is probably easier) to install malware. For this to work it has to pretend to be user input, so the user notices mouse movements and typing that he or she isn’t entering. There is no user who, if present, won’t spot this and realize it is a takeover of the computer. So to pull this off, you *also* have to distract the individual with a real-world distraction at the time of the attack.

Again, these are hardly undetectable by users. They are not very good attack vectors compared to, say, spearphishing.

SnifferDog

Let’s see……

USB flaw discovered in Berlin. Check.

US Spies discovered and arrested in Germany. Check.

So the Germans either debriefed the US spies and discovered how the US was spying on Germany,
or,

once the US spies were discovered, Germany has been working overtime trying to figure out how the US was spying, and they stumbled on this USB flaw.

Marc Guillot

I would hate to see USB connections losing their versatility (connectors only for mass storage, connectors only for printers, connectors only for monitors, ….). Even digital signatures aren’t much more appealing; it looks like they will increase prices.

Wouldn’t it be better to make them run their firmware in a sandbox (a virtual machine), so any potentially dangerous instruction can be intercepted?

Bill

run their firmware on a sandbox (a virtual machine)

This makes zero sense.

Marc Guillot

Java Virtual Machines, for example, have a long story of sandboxing the execution of untrusted code.

Firmware runs on an embedded microcontroller inside the device, not on your computer.

Marc Guillot

Yes, my bad, I was talking about the driver that the firmware installs and runs on the computer. You can run those drivers on sandboxed virtual machines.

Jan Gretza

The firmware doesn’t install any drivers on the host. The operating system does that, solely based on the device’s ID, and if the OS doesn’t find the drivers in its very own databases (shipped with the OS and online), it needs user interaction. The device is never even asked for the driver.

It’d really be nice if people wouldn’t speculate on solutions based on speculations on the functionality of complex hardware when they don’t have a clue how things work.

Marc Guillot

I’m making speculations over the content of the article. If you find any inaccuracy feel free to correct it and enrich the debate, but there is no need to be an ass.

Guest

how could you detect if an instruction is dangerous if you haven’t run it? and wouldn’t this just result in a prompt that users will click through without reading? “do you trust this USB device: ok / cancel”

Marc Guillot

Because you run it on a Virtual Machine. Java Virtual Machines, for example, have a long story of sandboxing the execution of untrusted code.

It is not a new idea, and this story is completely overhyped. Most microcontrollers can be locked when they are flashed so that it is not possible to reprogram them. Also, if you were trying to hack a USB controller on an existing device, you would have to specifically target the exact type of microcontroller in the device. You can buy USB devices with this kind of malware already installed, and have been able to for years.

Jon Gauthier

You’re forgetting that the malware could be installed at the time of manufacture. Things like that are easy to do in countries where industry and government are closely knit… How do you think WWIII will be fought?

David Spake

Oh, I agree that there is some hype here, but from an IT Security perspective, it’s a frickn’ nightmare. Let me tell you, I can see NIST and other Federal agencies losing their minds about this. I say that because, although mfg’s CAN lock the microcontroller, the question is DO they? Cheap and fast is the order of the day, and who knows what kind of shenanigans are going on under the covers of these microcontrollers.
Another question: how many USB microcontroller mfg’s are there out there? There might be hundreds, but I’d suspect a lot fewer, thus a smaller number that some malware would need to attack. I’m not saying it’s easy, but with a small number of mfg’s, it would be a lot easier. Heck, I’d bet that the mfg’s of devices (say Dell, HP, Samsung, etc..) don’t even know what the micro-controller is in their keyboards/mice/etc…

Having some kind of ability to checksum the micro-controller firmware would solve the issue, but geez… that assumes you could get reliable hash values from someone.

Christopher Mallmann

the point is, malware like that COULD be injected during the manufacturing process, and some manufacturers COULD forget to lock their controllers…all of that has been possible for many years now, just like with backdoors in routers, etc.
While it _is_ serious that there’s no immediate fix for this, from an end user’s perspective, it really isn’t that big of a deal, the reason being that the old rule still applies: thou shalt not taketh a stick from foreigners (or something along those lines^^). As for the possibility of infecting the USB stick through your own computer, that has always been a possibility once your computer is compromised, which brings us back to the even older rules of “act responsibly on the Internet, keep your system and AV software up to date, etc.”

Adam Temple

SO LETS FUCKING TELL EVERYONE ABOUT IT SO THEY CAN EXPLOIT IT. MEDIA IS THE DAMN PROBLEM

Brian

Wouldn’t you like to know? Imagine finding out your car should have been recalled 6 years ago because it could spontaneously explode lol

T.Doom

…after plugging in a malicious USB device designed to do just that.

Marc Guillot

Yeah, don’t tell anyone so they can’t protect themselves. Way to go.

Don’t worry so much for them, the hacker community doesn’t need the press to share those exploits.

well, then don’t use off-brand USB devices, or devices made in foreign countries.

Brian

You seem to think your government wouldn’t dare spy on its citizens……

teatoker

i know they do, but your government would only give you spyware, while foreign governments might give you malware.

Brian

I think the best bet would be to put random info on flash drives so when they hack my drive the most they will get is a poop schedule.

teatoker

a compromised USB drive could have full access to everything on your hard drive, and it could use your computer for distributed denial of service attacks if it’s connected to the internet. these kinds of attacks are not about the data on your flash drive being stolen, it’s about random malicious code that your computer trusts enough to run without your permission when you plug in your drive. all because most people were too lazy to install their own drivers manually, they made the process automatic.

Brian

I think it’s about everything. Even manufacturing a scapegoat to suit a particular need. Want to frame someone? Inject code that could run a google search for lye, shovels, rope, drugs, duct tape, and “how to get away with murder”. Seems easy enough.

teatoker

exactly. if a virus can rewrite the firmware of a USB stick, that is basically game over for security. it can do absolutely anything, which is why i have a hard time believing most USB manufacturers would allow a firmware rewrite through the USB interface, unless they wanted to compromise your system. but if they wanted to do that, it would probably already have malicious firmware to begin with.

courts should not be allowed to use search history as evidence because it can allow hackers to easily frame people.

Jan Gretza

Wrong. It’s about your USB device acting like someone using your mouse and keyboard. That’s very much noticeable. It’s absolutely impossible that a USB device runs any code on your computer directly.

Damon

It’s not the drive itself that is hacked, it’s the firmware in the controller chip. It’s like saying get rid of Windows when the BIOS has a virus….

TheDudeAbides

Most USB devices are not made in the U.S.

Buba Einstein

That’s a great idea, could you send me a list of American-made devices, such as flash drives, digital frames, phones, keyboards, wifi routers, external drives? I’m having problems finding them.

egil222

The writer of that article seems to be under the impression that USB controllers are running firmware resident on EEPROMs, AND that there is support on the devices for USB-hosted programming (in other words, an onboard USB programmer – usually something that is a separate device.)

OR – that the devices are coming from the factory with malicious firmware – and that’s gonna be the case for pretty much any device you buy. Think about it – any network adapter you plug into your machine POTENTIALLY comes from the factory with firmware that does all sorts of nasty stuff.

The idea that any random normal USB stick can be reprogrammed via USB is just plain silly.

http://www.mrseb.co.uk/ Sebastian Anthony

That’s exactly the implication from the German researchers. But yes, we do need more info on what controllers are actually vulnerable.

MadisonHJ

Hmmm, I’ve been booting Linux from a USB device. Think I’ll be going back to an actual CD.

didn’t some foreign governments hand out “free” USB memory sticks last year and the year before? Russia at the G20 meetings… and someone else at the UN…. Both of which were tied to spying attempts by the givers, as the sticks were set up to covertly capture data on their own.

nik

I really hate to break some more bad news. But, you know that PS2 can use USB right?

Jan Gretza

No, it can’t.

http://www.ledgersmb.org/ Chris Travers

More to the point, a PS2 keyboard could be modified to send keystrokes too……

sacredjunk

PS/2 = Legacy Keyboard / Mouse port
PS2 = Playstation 2

What are you referring to?

nik

Oh right, need to spell it out for people who can’t think. YES LEGACY.

Kaal Dewar

Yet another excuse for companies to say – “This is the only USB – cable / adaptor / peripheral you can use safely” only £49.99! Your safety is important to us! Like apple and the Chinese cables that came from a different factory than the ones they supply!

Oregonerd

Might be able to snip one of the MCU pins used to flash if it is not being repurposed in the design. Time for a mech switch for reflashing maybe? Oopsie.

A. J.

So, why wouldn’t a fix be to have your OS alert you when a USB device is plugged in indicating what class of USB device was plugged in? That way if you plug in a flash drive and it announces that you plugged in a keyboard, then you can realize that something is wrong.

David N

Many devices are composite devices. A webcam might include a video device, a still camera device, a microphone, and a HID (keyboard device) for the little button on top that you can press to take a snapshot. The complexity involved in displaying all of this to the user in a way that they can understand likely limits how useful it will be. People’s eyes will just glaze over and they’ll just click OK because they want to use their device and not be bothered by a bunch of technical information.

The keyboard case in particular sounds attractive (don’t worry about all devices, just pop up a warning if you connect a device that is able to send keyboard/mouse events to your system), but, AIUI, many devices use the same “HID” device type to send basic events to your system, and you can stick keyboard events in that. I’m not sure how easy it is to distinguish between a keyboard and webcam that has a button on it to trigger a snapshot.

David N

Wow, sensationalize and clickbait much?

Clever malware (already on your machine) can reprogram some USB devices to aid in their reproduction. Interesting but not at all surprising. Malicious USB devices (built that way or reprogrammed by malware) can do malicious things to your system. This one is neither interesting nor surprising. Both attack vectors might allow clever malware to spread by or hide out on normal-looking hardware. I’m more concerned about fake USB chargers that act as USB hosts to reprogram your *phone*.

Digitally signing firmware might help with the malware-instigated attack, but not a state-sponsored attack. It’s also unlikely to get widespread adoption, given how many software installations today warn me about a lack of a digital signature, decades after they were invented.

Different ports for different types of devices seems ludicrous. People aren’t going to understand why different ports exist and this seems to preclude composite devices (how would hubs work? keyboards that have built-in hubs?), unless you make it acceptable that some “restricted” devices are allowed to be plugged into “unrestricted” ports to take advantage of these features. And once people get used to ignoring the different port types, how is that a solution?

Focus on protecting the system from misbehaving or unexpected USB devices: don’t let a new input device be able to send input events until you authorize it (NFC? a “pair” button on the computer case?). Don’t automatically start routing network traffic over a new USB device (explicitly enable it first). Don’t automatically load or execute stuff on a USB storage device (does any OS do that nowadays?).
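The two comments above (composite devices sharing the one HID class, and holding a new input device back until the user authorizes it) can be turned into a concrete host-side check. What follows is an added example, not code from the article, from SR Labs or from any operating system: it walks the HID report descriptor of each interface, which is the data a host actually has for telling a keyboard from a webcam’s snapshot button (a keyboard declares the Keyboard/Keypad usage page or a Generic Desktop Keyboard collection, a button typically a Consumer-page usage), and then applies the “quarantine anything that can inject keystrokes or pointer events until approved” policy. The class codes and HID item encodings are those of the USB specifications; the boot keyboard and boot mouse descriptors follow the HID specification’s appendix examples, the consumer-button descriptor and the two composite devices are constructed for the example, and the policy function and all names are assumptions.

```python
"""Added example: classify what a freshly attached (possibly composite) USB
device can do, and hold keyboard/mouse-capable devices for user approval.
Sample descriptors are constructed for the example, not from any real product."""
from dataclasses import dataclass, field

# bInterfaceClass values from the USB class code list.
CLASS_NAMES = {0x01: "audio", 0x02: "cdc-control", 0x03: "hid", 0x08: "mass-storage",
               0x0A: "cdc-data", 0x0E: "video", 0xE0: "wireless-controller"}

# HID usage pages / usages relevant to the "can it inject input?" question.
PAGE_GENERIC_DESKTOP, PAGE_KEYBOARD, PAGE_CONSUMER = 0x01, 0x07, 0x0C
USAGE_MOUSE, USAGE_KEYBOARD, USAGE_KEYPAD = 0x02, 0x06, 0x07

_SIZE = {0: 0, 1: 1, 2: 2, 3: 4}  # data length encoded in the low two prefix bits


@dataclass
class HidSummary:
    input_pages: set = field(default_factory=set)   # usage pages consumed by Input items
    collections: set = field(default_factory=set)   # (page, usage) of every Collection opened


def parse_report_descriptor(desc: bytes) -> HidSummary:
    """Walk the short items of a HID report descriptor, tracking the global Usage Page
    and the local Usage / Usage Minimum / Usage Maximum items that Main items consume.
    (Global Push/Pop is ignored; it does not affect the page bookkeeping needed here.)"""
    out, page, pending, i = HidSummary(), 0, [], 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:                        # long item: 2 header bytes + bDataSize
            i += 3 + desc[i + 1]
            continue
        size, btype, tag = _SIZE[prefix & 3], (prefix >> 2) & 3, prefix >> 4
        data = int.from_bytes(desc[i + 1:i + 1 + size], "little")
        i += 1 + size
        if btype == 1 and tag == 0:               # Global item: Usage Page
            page = data
        elif btype == 2 and tag in (0, 1, 2):     # Local: Usage, Usage Min, Usage Max
            # A 4-byte usage carries its own page in the upper 16 bits.
            pending.append((data >> 16, data & 0xFFFF) if size == 4 else (page, data))
        elif btype == 0:                          # Main items consume the pending locals
            if tag == 0xA:                        # Collection
                out.collections.update(pending)
            elif tag == 0x8:                      # Input
                out.input_pages.update(p for p, _ in pending)
            pending = []
    return out


def hid_roles(desc: bytes) -> set:
    """Map a report descriptor to coarse roles a user can understand."""
    s = parse_report_descriptor(desc)
    roles = set()
    if PAGE_KEYBOARD in s.input_pages or s.collections & {
            (PAGE_GENERIC_DESKTOP, USAGE_KEYBOARD), (PAGE_GENERIC_DESKTOP, USAGE_KEYPAD)}:
        roles.add("keyboard")
    if (PAGE_GENERIC_DESKTOP, USAGE_MOUSE) in s.collections:
        roles.add("mouse")
    if PAGE_CONSUMER in s.input_pages:
        roles.add("consumer-control")
    return roles


def device_roles(interfaces) -> set:
    """interfaces: (bInterfaceClass, report_descriptor_or_None) for each interface of a
    composite device. HID interfaces are refined by their report descriptor."""
    roles = set()
    for cls, rd in interfaces:
        if cls == 0x03 and rd is not None:
            roles |= hid_roles(rd) or {"hid-other"}
        else:
            roles.add(CLASS_NAMES.get(cls, f"class-0x{cls:02x}"))
    return roles


def needs_authorization(roles: set) -> bool:
    """Assumed policy: anything able to inject keystrokes or pointer events stays
    quarantined until the user explicitly approves it."""
    return bool(roles & {"keyboard", "mouse"})


# Constructed sample descriptors (boot keyboard/mouse follow the HID spec appendix
# examples; the single consumer-page button is made up, its usage id is arbitrary).
BOOT_KEYBOARD = bytes.fromhex(
    "05010906a1010507" "19e029e715002501" "7501950881029501" "7508810195057501"
    "0508190129059102" "9501750391019506" "7508150025650507" "190029658100c0")
BOOT_MOUSE = bytes.fromhex(
    "05010902a1010901" "a100050919012903" "1500250195037501" "8102950175058101"
    "0501093009311581" "257f750895028106" "c0c0")
CONSUMER_BUTTON = bytes.fromhex("050c0901a1011500" "25017501950109b2" "8102750795018103" "c0")

# Constructed composite devices: a "thumb drive" that also types, and a webcam with a button.
SUSPICIOUS_THUMB_DRIVE = [(0x08, None), (0x03, BOOT_KEYBOARD)]
WEBCAM_WITH_BUTTON = [(0x0E, None), (0x01, None), (0x03, CONSUMER_BUTTON)]

if __name__ == "__main__":
    for name, ifaces in (("thumb drive", SUSPICIOUS_THUMB_DRIVE), ("webcam", WEBCAM_WITH_BUTTON)):
        roles = device_roles(ifaces)
        verdict = "hold for user approval" if needs_authorization(roles) else "allow"
        print(f"{name}: {sorted(roles)} -> {verdict}")
```

A hostile controller can of course present whatever descriptors it likes, so this is not a proof of honesty; what the check buys is that a storage device which also exposes a keyboard-capable interface is surfaced to the user (the alert the first comment asks for) and denied input rights until approved, instead of silently becoming a keyboard the moment it enumerates.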

Machin Shin

This is not really new. The “Rubber Ducky” has been around for a while now and is exploiting the same weakness in a system. The computer assumes a HID device is safe, so a USB device presents itself as a keyboard and types a small novel’s worth of code in a few seconds. The only thing “new” in this is the idea of hijacking existing USB hardware instead of having a tailor-built device.

http://domainseller9.com Domain Seller9

Thumb drives used to have a hardware write-protection switch that put the drive in read only mode. Could that block malware from updating firmware? Hard to find those anymore though.

Unlicensed Dremel

If it’s undetectable, how was it found?

Jan Gretza

By coming up with the idea? D’uh…

eddie sailes

There are methods for mitigating this threat, as outlined by the SANS Institute, and yes, this has been known about for some time now, dating back to at least 2009.

This smells like a promo for SR Labs. The secret will be revealed at Black Hat 2014.
Wait a second, never mind. I just noticed a better story: “Cold Fusion”.

Tune My Heart Lord Jesus

Electronics from China and other foreign nations have made their way into high-security installations with malware factory-installed. Good idea to send all the manufacturing overseas, right?

ssh83

Great fear mongering. Nothing new here. USB trojan devices have been in existence for a long time. The reason why they haven’t made the news is because of the inherently slow spread/infection rate of physical mediums such as USB devices. A USB trojan is only good for a targeted attack (ex: you really hate your brother, but he’s too smart to click on a phishing link) or against closed-circuit systems, but even then, USB is just one of many ways to achieve the same goal. Some physical devices don’t even need to be plugged in to infiltrate your security. >:)

Brad Harris

I think you meant to say: “undetected security flaw found”. If it was undetectable it wouldn’t be found! Don’t take offense, I’m just pointing out the humor in the title.

Cory Ducey

I was thinking the same thing. The grammar of today’s “writers”…

Joakim

I could also give someone a PS/2 keyboard as a gift with a malicious controller typing these keys when the keyboard has been idle for a moment (user possibly away): Windows key + C + M + D + CTRL, SHIFT and ENTER (at the same time) + Arrow left + Enter, to open a CMD window with administrative privileges where malicious commands may be typed in to install malware.

David Trimble

This is old news; it has been known for years that firmware could be reprogrammed for malicious purposes. We have yet to see many proofs of concept. An attack such as this is still detectable by examining network traffic, assuming that a type of virus affecting the firmware wants to communicate with an outside source (they always do).

The same type of security vulnerability affects anything with firmware. Your CD drive, your hard drive PCB board, etc. Given the difficulty of such an attack, this type of attack would mostly be state sponsored.

WeirdBeard

Jeff Goldblum exploited the USB security flaw in “Independence Day” when he uploaded a virus to the alien mothership, causing a massive explosion.

usfour

This is sensationalist journalism. USB rewriting of the OS is not proven, elevation of privileges has not shown rooting, and anti-virus can easily scan removable devices already, so expand it to all USB devices. Done.

Joakim

Why pretend to know better when you do not? An antivirus program cannot scan the firmware inside the USB device.

usfour

It’s unfortunate you got offended; I stand by my comment on an article about unnecessary hype for a flaw that has been around for years longer than your career. As said in the article, AV can warn you about unsigned firmware – therefore – use at your own risk – same as installing an unsigned piece of software, albeit much, much less often. Physical access to any device pretty much eradicates security, which is the end of the story.

mjdawlv

USB is normally used for low-end peripherals like a mouse & KB. Maybe an external HD also, but even that is only on when needed. So how will it affect my mouse & KB, and how will that affect me then?

GranFaloSentado

So someone can reprogram my USB-controlled vibrator and I get hijacked by a malevolent p0rn hacker.

GOSH! That’s not good.

James Riendeau

If antivirus can’t access the firmware to scan it, how could malware access it to reprogram it?

dc

I didn’t think it was possible, but I feel that internet and computer security is worse today, or more flawed today, than it was 10 years ago.

http://eddiestarr.stumbleupon.com Eddie Starr

This is not new information...
Did you know that since USB 1.0 (in 1996) these capabilities have existed?

Having the ability to re-adjust firmware settings allowing data collection, utilizing USB for nefarious purposes has always been something a badly intentioned hacker could utilize. Does anyone remember Stuxnet?
Viruses can Auto-Run when a USB drive is plugged into a system.
USB drives can even be used to “Pre-Boot” a system and completely bypass an operating system to give a bad-intentioned person full access to everything in your device.

Boris

“Ultimately, though, the only real mitigation is ensuring you only use USB devices that you trust”
And the only USB device you can trust is one that’s never been inserted into an infected computer, right?
Because a virus (say, from a hostile website) could very well silently reprogram that USB device.
Not good.

yvette99

> As of today, there could be billions of USB devices out there with firmware that could be reprogrammed by a computer virus

> The security researchers also say that malware scanners can’t access the firmware of a USB device

Um, what? Both of those can’t be true. Software is software.

majenkins

I didn’t go down far enough to see yours, but I say something very similar further up. FUD!!!!!!!!!!!!!!

T.Doom

Is this article by Chicken Little? Virtually anything with a firmware can be reprogrammed if you have the tools. The BIOS in your PC can be reprogrammed. This amounts to trusting every single electronics manufacturer to not add malicious code to their devices.

This article did point out “It took months for SR Labs to reverse engineer the controller firmware, and it doesn’t sound like they’re giving up their secrets any time soon”, which means it won’t be easy to figure out the low-level code to reprogram a firmware unless one knows specifics about the physical firmware itself.

In addition, “security researchers also say that malware scanners can’t access the firmware of a USB device”, so what makes them think that random malware can easily access and reprogram the firmware of a USB device, especially if they are made to be read-only?

http://www.princevansconsulate.org/ Prince Evans

The thugs are on again. But we’ll beat them, as always. Ha!

jburt56

Visions of elint satellites talking to your mouse.

dfbddfhb

Well, we can make USB 3.1 better, I guess!

Jason Robert Nelson

Generally speaking, things are considered to be “safe” if they are completely in your possession and untampered with… But I suppose if you let some virus get into your system, it could hide itself in your USB firmware and you’d basically never get it out without removing the infected device. But if you come home and see your computer typing on its own, then it would be pretty obvious that you’ve been hacked… so get your shit fixed.

Your USB mass storage devices could potentially start behaving like keyboards and start submitting all your kiddie-porn to websites while you’re sleeping too. Have fun with that one.

Jack Hsiung

BS stupid article doesn’t make sense.

a usb device can’t take over your computer, period.

ronch

In other news, microprocessors found to be untrustworthy due to their programmability!!! A new study has revealed that any programmer can write code which can run on your computer and do whatever the programmer wants your computer to do! Beware! Whatever you do, if you value your security, DON’T USE THE INTERNET and STAY AWAY FROM YOUR COMPUTER!!!

ronch

Extremetech just gave a bunch of budding hackers out there a new project to work on.

Geoff Breedwell

This is old news in the security community. Seriously. This is old.

sailersteve

I bought 2 glow in the dark keyboards & 2 mouse package for $7.00. I swear after I plugged in the USB from the keyboard my laptop got infected. I used Malwarebytes Anti-Malware free & did a custom scan, it cleared up. The next time I put my laptop away & brought it back out I plugged in the glow in the dark keyboard and it did it again. So now when I have to take my laptop with me I expect to have to Malwarebyte it after I plug in the keyboard. It seems like it only affects my other wireless mouse function & page speed, w/ frequent stoppage, videos stop & start etc... After the scan it works great, it only happens after first plugging in the USB keyboard. I KNOW THE KEYBOARD IS FUNKY!!! but hey, I like the keyboard, it’s convenient!

Joseph Hassler

The way the author started the article, I thought, was informative. Yet the way it ended made me question if he is composing this article in his bomb shelter ....

http://www.mrseb.co.uk/ Sebastian Anthony

My articles are often like that :)

Sadly my house doesn’t have a basement. And I haven’t yet found a bomb shelter with decent WiFi (the walls are too thick I think :(

Mojo

So do you think that USB is doomed, and another shall eventually take its place?

davedogman

Gotta have a dramatic title for the clicks. Troll.

John Lapizdin

Idiots’ fear and BS: it is detectable, it is controllable. In Linux, zero CDs are blocked on modems to prevent unneeded driver requests; why couldn’t the same be applied to keyboards and other devices?

Krist Martin

This is rather old news actually, by nearly 20 years. The USB developers knew this vulnerability existed way back with Win 95. Said vulnerability has been patched several times and worked around and will be patched again. It’s even the basis for USB keyloggers. Almost anyone can reprogram the firmware if they have the right software.

PS/2 would be best to fall back to, but an awful lot of modern computer mainboards don’t have PS/2 ports.

Elizabeth Simmons

Won’t change how I work (plus I still use PS/2 kyb ) … besides, what OTHER firmware changes are possible that we don’t know about. Highways are dangerous, but I’m still driving.

Vidya Wasi

Conspiracy theory: NSA helped develop the USB specifications.

Seriously though, I thought people knew about this attack vector already, since some companies completely disable and block off the USB ports.
Another lost chance to make profit.

Tony_IA

Can’t they just “lock” the firmware so it can’t be overwritten? I can’t think of a single time I’ve upgraded the firmware of a USB drive. I just fail to see how locking the firmware is so…complicated. Of course, I’m sure someone has a reason it is accessible and changeable…probably having to do with “it’s cheaper to leave it that way”….

Skywalker

Signing is an easy way of having the firmware both changeable (if you need to update it, for example) and trustable. As long as nobody has broken the signature, of course (this is not impossible; IIRC the virus which infected the Iranian plants 2 years ago was hidden in a Windows update signed with Microsoft certificates, but I doubt that someone who has “cracked” the signature of a big company would “burn” it just to infect my PC).

Tom Scharf

“Signing” is for the USB driver on the PC, not the USB device. The USB device can present itself as a standard keyboard and the signed USB driver will work just fine.

BillBasham

Every time my wife comes back from a trade show she has some sort of crazy form factor USB thumb drive that someone has given her as show bling.

At least now I know why…

davedogman

Sebastian Anthony. Next time I see your name I’ll quickly move on to a more serious article. Really, infected USB sticks can infect your computer? Oh wow, breaking news.

http://www.ledgersmb.org/ Chris Travers

I am having trouble imagining a viable attack in this way though. If you have fake networking, you’d have to be able to fake what’s on the other side pretty convincingly for an extended time to get the passwords. It is possible, but spearphishing is far more practical.

For HID, again, you’d need an extremely targeted attack. And the user would at the very least see that the computer had been taken over by someone else (uncommanded mouse and keyboard inputs are not exactly invisible). So a successful, undetected attack here would necessarily involve another part, namely distracting the user with something non-computer-related while the attack took place.

In other words, this strikes me as a relatively non-issue. Once you allow all kinds of input, you allow all kinds of automated and mocked up interactions. That’s a general point.

Frankly, if someone gained access to my computer via a rogue USB device, I’d be more concerned about the security of my front door than the security of my computer. Scaremongering at its best and most ignorant. On the other hand, if people could stop using software like Microsoft Windows on their computers, the world would be a lot more secure.

Tom Scharf

Another really bad article. Apparently click bait, I suppose. I think I’m going to start avoiding this website; it is really going downhill.

The world is ending,…somebody told us that….but didn’t give us the actual details other than a vague overview. Awesome journalism.

For the record….

1. There isn’t just “one” USB firmware on all USB devices.
2. There isn’t just “one” type of USB controller.
3. There are thousands of different USB controllers out there.
4. Most devices do not allow their USB firmware to be re-programmable.
5. Different USB controllers use totally different types of code, 8051, MSP430, ARM, etc.
6. Reprogramming the firmware will disable the original function of the device.

The fact that some company got a micro-controller developers kit that allowed USB firmware to be reprogrammed (that’s what these developers kits are for) does not constitute an “exciting finding”. PIC micros have several different examples of different USB classes free for download.

The insinuation in this article that any and all USB devices are at risk is a ridiculous assertion.

Viruses have been spread via USB drives forever. This article’s “massive exploit” is fundamentally much harder to do, can only affect a scant few devices, and is much less effective than a thumb drive virus.

gremlin22

This is a great exaggeration of the threat.

Once you plug a USB device into a PC, the only active thing is the USB software stack that is already installed on your PC. The firmware on the device is completely passive; it can’t initiate any communication to the PC and can only respond to requests from the USB stack. The only attack vector is to take advantage of some unknown bug in the USB stack where answers are processed, in order to send a malformed answer to some request that will take advantage of this bug. But there is nothing new about that. Such bugs are discovered from time to time, and they are much more dangerous in network protocol drivers than in the USB stack.

Infecting other USB devices with malicious firmware is nearly impossible. Not every device has upgradable firmware. Firmware upgrade is NOT a standard process. Every vendor has its own proprietary undisclosed method, and the method changes from time to time. You will need to reverse engineer every device you want to infect in order to learn how to do it. An active malware that wants to infect a random device that is inserted into the computer will need to rely on a database of hundreds of thousands of devices.

Rafael Castro Merino

Usually the firmware is stored in a ROM memory, so it can’t be changed easily. Don’t mistake this kind of memory with the one in the USB. So if anyone really wants to mess with you, he or she is going to need to be physically in the same room with your keyboard.

Rafael Castro Merino

Even if I had planned an attack with the most evil intentions, why bother? It seems very risky.

S.k. Surain

I think this could be solved in no time. The manufacturers just need to produce a certified adapter that could be purchased from authorized dealers, where this adapter consists of several USB port branches, each with specialized acceptance for just one class of USB controller. This will save time, cost and our peace, all at once.

S.K.Surain

carol argo

Now I know why smartphones act up while using USB. grc.com and their allies were right, certificates need to be fixed.

onlyauser

All these flawed standards are deliberately designed to have a flaw, probably from advice of N-S-A National Stasi Agency of OhBama the gaylord pothead who is trying to convert the whole world into unholiness and fighting wars on those who don’t agree.

Funny, to blow this up out of proportions and cause the sale of PS2 devices again… marketing strategy? ;)

In all seriousness though, 99% of users have nothing to worry about. Nobody will be affected as badly as they say.

WTF

“Massive, undetectable security flaw found in USB”

Hmmmm…..so you’re saying they detected the undetectable?

majenkins

Here is the problem I have with this article:

KC Garrett

If I were a researcher on this problem I would consider designing a USB dongle to use as an intermediary between the actual device and the computer USB port. It might be that you could devise a one-size-fits-all solution.

Matt Mitchell

The operating system could notify the user of attached devices, and if new devices are attached, so at least the user knows if something is fishy. If they plug in a phone and it comes up as a keyboard for instance.
